Hi, I’ve created a custom action that runs as part of the Login flow and as part of the onExecutePostLogin, I’m forming a custom URL and calling api.redirect.sendUserTo. The login experience works as I expect but I’m not seeing a “Success Login” log entry like I do with the Logout/Signup for this same Application, or Logins for another one of my Applications.
The redirect points to an endpoint that I don’t own and so is a bit of a black box in that I can’t send users back to the Auth0 /continue endpoint and so don’t handle onContinuePostLogin.
Should I be concerned about this seeing as I don’t require additional user interaction beyond the standard login form?
Hi @dan.woda, thanks for the reply. I’m new to this and slightly drowning in some of the concepts and complexity so any help is very much appreciated!
I was originally using a Rule as part of the login flow setting context.redirect to my Url and then returning the callback function with the context as an argument. This worked well but my understanding is Actions are preferable to Rules going forward so I rewrote my Rule as an Action. I guess my Rule was also resulting in an incomplete login process.
For background, I’m trying to implement Shopify’s Multipass login and as per the docs, I need to redirect users to https://SHOPIFY_DOMAIN/account/login/TOKEN (where TOKEN is what I’m successfully generating in my Action) after Auth0 authentication has taken place.
Weirdly the result of both the Rule and the Action achieve what I’m hoping for in that I’m logged into my application (app A), the redirect takes place and the authentication session is shared across both app A and another application, app B. Logout also works as expected. My assumption is that despite this, the issue must be addressed as without returning to the /continue endpoint, no further Actions in the Flow will run.
I also noticed the same technique I’m using is used for the downtime page example here, but I assume returning the user to /continue is just omitted for brevity?
It appears this example is not logging the user in but is redirecting them to a generic outage page without authentication.
The important point is that an Access Token/ID Token will not be issued if Actions aren’t completed.
I’m not previously familiar with multipass, but it appears you should be sending your users there from your application, not from Actions/Rules. Are you following a guide that is telling you to do this?
I’m following this technique. I originally created a Rule very similar to the one in the article (which was working well, but only on the face of it!) and have now migrated my Rule to an Action instead.
And that downtime example seems to imply to me that the redirect happens as part of a successful login flow?
It uses the api.redirect.sendUserTo() method to redirect the user to the given URL after they log in. Keep in mind that users will see the downtime page only after logging in successfully.
In this example, the user never finishes the authentication pipeline and the application is never issued a token from the auth server…
I can see how this is misleading. The user’s credentials are verified, but similarly does not complete the entire pipeline, and is never issued a token. Saying the user is logged in is somewhat of a semantic issue but should be revisited. I’ll notify the author.
As for what you should do, it seems to me that you should be completing the transaction with Auth0. After which your application will be issued a set of tokens, and your application should handle the token creation and request to shopify. Does that make sense?